The Balancer Labs team was recently notified of a potentially exploitable Denial of Service (DoS) scenario thanks to a benevolent hacker who properly disclosed the vulnerability through Immunefi. We want to stress that user funds are not at risk; the DoS would transfer these tokens out of the Vault and into the ProtocolFeesCollector which is controlled by Balancer governance. The scenario in question involves double entry-point ERC20 tokens, including but not limited to Synthetix tokens (e.g., SNX and sBTC), and Balancer Flash loans.
- Proxy Architecture Pattern: This, in the context of ERC20 tokens, is a token composed of two parts: a proxy and a target. In general, users only need to think about the proxy; it is all that they need to use to send, swap, or stake their token. Under the hood, however, the proxy points to a target contract that implements underlying logic and can be replaced in order to upgrade token behavior. These are explained in depth here.
- Double Entry-Point ERC20 Token: This is an ERC20 with a Proxy Architecture Pattern that allows users (and contracts) to interact directly with the target contract, skipping the proxy. Since it is possible to interact with both the proxy and the target directly, the token has two entry-points.
If a user executes a Balancer Flash loan for both entry-points of the same token in descending amounts and immediately repays it, the repayment of the loan will be interpreted as an excess of tokens at the second entry-point and the Vault will therefore send the difference to the ProtocolFeesCollector. This can leave a pool in a state of thinking it has more tokens than it does, resulting in failed transactions on swaps and pool exits.
Fortunately, Balancer governance controls access to the ProtocolFeesCollector, so there is nothing an attacker can do with these funds after they are sent to the contract. All they can do is temporarily deny access to these funds for any pools containing the relevant tokens.
Currently, the only known double entry-point tokens included in Balancer pools are SNX and sBTC on Ethereum mainnet. The main pools that are affected by this vulnerability are:
- SNX/WETH: https://app.balancer.fi/#/pool/0x072f14b85add63488ddad88f855fda4a99d6ac9b000200000000000000000027
- wBTC/renBTC/sBTC: https://app.balancer.fi/#/pool/0xfeadd389a5c427952d8fdb8057d6c8ba1156cc56000000000000000000000066
We will take the following action(s):
- Revoke all outstanding permissions on withdrawing funds from the ProtocolFeesCollector so that not even a previously approved entity can access the tokens in question.
- Execute a transaction, as described in the bug report, to transfer sBTC and SNX tokens from the Vault to the ProtocolFeesCollector and thereby pause certain operations within the relevant pools. This mitigates risk of unknown attack vectors that might exist by placing funds under control of governance. Funds will be inaccessible for a short time during this process; we currently estimate about a week.
- Deploy a relayer contract that allows any owner of the relevant pools’ BPT to atomically withdraw funds from the ProtocolFeesCollector to the Vault and exit the pool proportionally. This procedure will have to be executed by each LP individually but will ensure that all LPs are made whole. This relayer will be developed by Balancer Labs but, like all relayers, must be approved by Balancer governance before going live.
As a possible alternative to step 3, we are speaking with the Synthetix team about upgrading their token implementation contracts. If they are able to successfully remove the second entry-point, the token contracts could be upgraded in place and the tokens returned to the Vault without any intervention required from LPs.
This is everything we know now and we will provide timely updates if there are any important changes.